
New Member

Communications from remote site behind firewall over IPSEC tunnel

Hi,

I wonder if anyone can help with this situation.

We have a number of remote sites which connect into our head office using ADSL.

The remote sites have Cisco 837 routers and communicate with head office over an IPSEC tunnel which terminates on our PIX515E.

All this has been working fine.

We've recently connected another customer to our head office using the same method.

However, at the customer's end, their devices sit behind another firewall (a PIX I think) which connects to the Cisco 837 ADSL router and then to our Head Office.

The problem is, we can't get communications to work between the users behind their firewall and our head office network.

We can communicate from devices on our head office LAN to the remote site's ADSL router's Ethernet subnet no problem.

If they connect a laptop straight into the ADSL router, configured with an address on the same ethernet subnet then, again, they can communicate with our head office devices no problem.

But if they try to connect through their firewall then their attempts just timeout.

I don't know much about their set-up other than they have a global (outside) address configured which is in the same address range as the Ethernet subnet of the ADSL router.

This address translates to their internal IP address range (of which we have no knowledge).

When I enabled cache flowing to look at the conversations through the router, I can see some connections between their firewall IP address and IP addresses on our head office subnet. Though there are only ever 2 or 3 packets whenever they attempt a connection. The users just see the connections eventually timing out.

Does anyone have any ideas what the problem could be? I'd really appreciate it as I'm getting nowhere fast at the moment!

7 REPLIES
Silver

Re: Communications from remote site behind firewall over IPSEC t

Hi,

Could be NAT issues at the other end. Are they doing NAT on the 837 and the PIX?

John

New Member

Re: Communications from remote site behind firewall over IPSEC t

On the 837, it's configured to do NAT translation on any packets destined for the outside world (i.e. the internet).

But for packets destined for our Head Office LAN from the Ethernet subnet of the 837, it's configured not to NAT translate them but to encrypt them over the IPSEC tunnel.

I don't really know what they have configured on their firewall but I assume it's doing translation of some sort between their inside network and the outside subnet where the ADSL router is located.

New Member

Re: Communications from remote site behind firewall over IPSEC t

Problem solved, though no idea how! It just seemed to start working of its own accord! Bizarre, but at least it's working now.

New Member

Re: Communications from remote site behind firewall over IPSEC t

Looks like I spoke too soon.

This has stopped working again! I know for certain that nothing has changed on our side of the network and the customer tells me that nothing has changed on their side either.

When it was working, if I looked at the netflow cache on the ADSL router, I could see connections between the customer's firewall IP address (on the same Ethernet subnet as the ADSL router) and our head office servers.

When it stopped working, I could no longer see any attempted connection between the customer's firewall and our head office servers.

However, the customer was able to telnet to the ADSL router ok and, in this case, I could see the connection ok.

But why should this have suddenly stopped working? It doesn't seem to make any sense! Anyone got any suggestions? I'm getting desperate now!

Silver

Re: Communications from remote site behind firewall over IPSEC t

Hi,

If you are seeing the firewall IP address talking to your servers then it means they are doing PAT on the other end. If the IP addresses on the Ethernet side of the 837 are RFC 1918 addresses then have them configure a global range of addresses on the PIX, not just one address, so that they have one-to-one static translation.

Alternatively you can have them do a NAT 0 on their PIX so that their internal IP addresses are not NATted.

hope this helps
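As an added illustration of the two options John describes (these are constructed PIX 6.3 fragments, not configuration from anyone in the thread), assuming placeholder addresses: customer inside LAN 192.168.10.0/24, customer firewall outside address 198.51.100.2 on the 837's Ethernet subnet 198.51.100.0/24, and head office servers on 203.0.113.0/24:

```text
! Constructed customer-PIX (6.3) fragments for illustration only.
! All addresses are placeholders, not values from the thread.
!
! --- What the netflow evidence suggests is running: PAT behind one address ---
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 198.51.100.2
!   Every inside host reaches head office as 198.51.100.2, which is why the
!   837's netflow cache only ever shows the firewall's IP as the source.
!
! --- Option A: NAT exemption (nat 0) for traffic bound for head office ---
access-list NONAT permit ip 192.168.10.0 255.255.255.0 203.0.113.0 255.255.255.0
nat (inside) 0 access-list NONAT
!   Inside hosts now appear with their real 192.168.10.x addresses. That means
!   the 837's crypto ACL, the head-office PIX's nat 0 and crypto ACLs, and a
!   return route on the 837 (192.168.10.0/24 via 198.51.100.2) must all be
!   updated to include 192.168.10.0/24, or the tunnel will not carry it.
!
! --- Option B: one-to-one translations into the 837's Ethernet subnet ---
!   Dynamic one-to-one from a pool (John's "global range"):
global (outside) 1 198.51.100.11-198.51.100.40 netmask 255.255.255.0
!   ...or fixed statics for the hosts that need head-office access:
static (inside,outside) 198.51.100.11 192.168.10.11 netmask 255.255.255.255
static (inside,outside) 198.51.100.12 192.168.10.12 netmask 255.255.255.255
!   Each host gets its own address in the subnet the tunnel already covers,
!   so nothing changes on the 837 or the head-office PIX, and each host's
!   flows become individually visible in netflow and in the PIX logs.
```

Option B keeps the existing crypto and NAT-exempt ACLs at head office untouched, which is the lower-risk change when the customer's internal addressing is unknown, as it is here.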

New Member

Re: Communications from remote site behind firewall over IPSEC t

Hi,

Thanks, that's very helpful.

I think you are right and that they are doing PAT - but can you explain more about why this should cause a problem? Will this set-up not work with them using PAT?

(Also, the IP addresses on the Ethernet side of the 837 are not RFC 1918 addresses)

What I can't understand is why this seems to have been working for a few hours and then suddenly stopped working again?

Any more suggestions/advice would be very welcome!

New Member

Re: Communications from remote site behind firewall over IPSEC t

I'm still not having any luck with this so I'm shamelessly bumping it up in case anyone else can help!

Just to recap on the situation - this is the set-up:

Customer LAN--Customer FW--ADSL router--(Internet)--Head Office PIX 515E--Head Office Router--Head Office servers

The customer LAN and Customer Firewall are outwith my control - I believe they have a PIX.

The ADSL router is a Cisco 837 running 12.3(2)XE3

The Head Office firewall is a PIX515E running 6.3(5)

An IPSEC tunnel has been established between the head office PIX and the ADSL router.

The ADSL router is configured to send traffic from the address range on its Ethernet subnet to the Head Office servers over the IPSEC tunnel. (Any other traffic will be NAT'd and sent to the internet)

The Head Office PIX has been configured to exempt traffic from the Head Office servers to the customer's LAN from the NAT process and sends it over the IPSEC tunnel established with the ADSL router.

We have this set-up running at a large number of sites without any problem. The only difference in this case is the Customer's LAN is behind a firewall. (For the other sites we have, their LAN is directly connected into the ADSL router)

I can connect between the ADSL router and the Head Office servers without any problem. The tunnel is established (sh crypto isakmp sa) and traffic has been encrypted/decrypted (sh crypto ipsec sa).

If the Customer plugs a device directly into the same LAN as the Ethernet subnet on the ADSL router, they can communicate with our servers without a problem.

If the Customer attempts to connect from behind their firewall to our Head Office servers, the connections are timing out.

However, it was successfully running for a couple of hours. When it was working, I was able to see connections from their Firewall IP (address in same subnet as Ethernet interface of ADSL router) and the Head office servers using the netflow commands on the ADSL router. (So I assume they are using PAT to hide the internal addresses on their LAN)

On the PIX firewall at Head Office, I could also see TCP connections (Remote Desktop) between the servers and the customer's firewall IP.

This suddenly stopped working. I can't see any sign of any problems on the logs in the ADSL router or on the PIX firewall at Head Office. (I can see TCP connections between the servers and the Customer's FW IP have been reset from outside, not sure if this is significant?)

After that, I just don't see anymore traffic from the Customer's FW to our head office servers at all.

But I can still connect to the ADSL router ok from our Head Office LAN, the tunnel is up and established and everything seems to be ok!

Can anyone give any help as to where the problem is and how to resolve this? I'm really struggling now! I would say it seems to be something at the customer's firewall, but they are insistent that they have everything configured correctly to route traffic for our head office servers via the ADSL router.

Anyone got any more ideas?

Thanks.
